Cert-manager certificate issuing with ClusterIssuer gets stuck on self-check

Rancher
1

Hello,
I have followed this tutorial for deploying cert-manager via Helm and Setting up a ClusterIssuer to issue certificates for subdomains. I think the installation of cert-manager and the ClusterIssuer is correct, but upon requesting a certificate, the process gets stuck in the self-check.

When I visit the .well-known/acme-challenge/ link that I find under Load Balancing within the cluster, I get the following reponse:

acme/autocert: host not configured

kubectl describe certificates yields

> kubectl describe certificates
Name:         subdomain-mycompany-de
Namespace:    default
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"subdomain-mycompany-de","namespace":"default"},"spe...
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Cluster Name:
  Creation Timestamp:  2018-07-20T15:36:46Z
  Generation:          1
  Resource Version:    719320
  Self Link:           /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/subdomain-mycompany-de
  UID:                 b5e9fbee-8c32-11e8-9e8f-fa163e1d1396
Spec:
  Acme:
    Config:
      Domains:
        subdomain.mycompany.de
      Http 01:
        Ingress:
        Ingress Class:  nginx
  Common Name:          subdomain.mycompany.de
  Dns Names:
    subdomain.mycompany.de
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-cluster-staging
  Secret Name:  subdomain-mycompany-de-tls
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxx
        Domain:     subdomain.mycompany.de
        Http 01:
          Ingress:
          Ingress Class:  nginx
        Key:              xxxxxFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8.ADlfw80vNARKHaZxbOEIBTIhxtsS468HGAWRDzGJgiM
        Token:            xxxxxFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8
        Type:             http-01
        URL:              https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxx
        Wildcard:         false
      URL:                https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxx
  Conditions:
    Last Transition Time:  2018-07-23T07:13:19Z
    Message:               http-01 self check failed for domain "subdomain.mycompany.de"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:                    <none>
>

The authz link to letsencrypt returns something like

{
  "identifier": {
    "type": "dns",
    "value": "subdomain.mycompany.de"
  },
  "status": "pending",
  "expires": "2018-07-27T12:11:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxx7tMS6U-U3lscLB2qNJP_mWSG4ef2JE/150756494",
      "token": "xxxxxNATFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxx7tMS6U-U3lscLB2qNJP_mWSG4ef2JE/150756495",
      "token": "xxxxxMeMbOfN_AZu6H02hg-O8dlxgSLxNJ7aTBwb28"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxx7tMS6U-U3lscLB2qNJP_mWSG4ef2JE/150756496",
      "token": xxxxxYzOzf44O9hyrfs9bQn4-XYYjMySoY6VQhUA"
    }
  ]
}

I have two hypotheses what could be wrong, but don’t know how to test them:

  1. something is wrong within the cluster (the acme/autocert: host not configured response)
  2. I hit the letsencrypt rate limits (not sure if the pending from the authz actually indicates that)

My gut feeling is that the first is more likely, or even that both issues apply.

Can somebody help me to test & fix this?

thanks in advance!
michael